[mirror_edk2.git] / OvmfPkg / PlatformPei / AmdSev.c

/**@file\r
  Initialize Secure Encrypted Virtualization (SEV) support\r
\r
  Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
//\r
// The package level header files this module uses\r
//\r
#include <Library/DebugLib.h>\r
#include <Library/HobLib.h>\r
#include <Library/MemEncryptSevLib.h>\r
#include <Library/PcdLib.h>\r
#include <PiPei.h>\r
#include <Register/Amd/Cpuid.h>\r
#include <Register/Cpuid.h>\r
\r
#include "Platform.h"\r
\r
/**\r
\r
  Function checks if SEV support is available, if present then it sets\r
  the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
\r
  **/\r
VOID\r
AmdSevInitialize (\r
  VOID\r
  )\r
{\r
  CPUID_MEMORY_ENCRYPTION_INFO_EBX  Ebx;\r
  UINT64                            EncryptionMask;\r
  RETURN_STATUS                     PcdStatus;\r
\r
  //\r
  // Check if SEV is enabled\r
  //\r
  if (!MemEncryptSevIsEnabled ()) {\r
    return;\r
  }\r
\r
  //\r
  // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
  //\r
  AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
  EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
\r
  //\r
  // Set Memory Encryption Mask PCD\r
  //\r
  PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
\r
  //\r
  // Set Pcd to Deny the execution of option ROM when security\r
  // violation.\r
  //\r
  PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
  ASSERT_RETURN_ERROR (PcdStatus);\r
\r
  //\r
  // When SMM is required, cover the pages containing the initial SMRAM Save\r
  // State Map with a memory allocation HOB:\r
  //\r
  // There's going to be a time interval between our decrypting those pages for\r
  // SMBASE relocation and re-encrypting the same pages after SMBASE\r
  // relocation. We shall ensure that the DXE phase stay away from those pages\r
  // until after re-encryption, in order to prevent an information leak to the\r
  // hypervisor.\r
  //\r
  if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
    RETURN_STATUS LocateMapStatus;\r
    UINTN         MapPagesBase;\r
    UINTN         MapPagesCount;\r
\r
    LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
                        &MapPagesBase,\r
                        &MapPagesCount\r
                        );\r
    ASSERT_RETURN_ERROR (LocateMapStatus);\r
\r
    BuildMemoryAllocationHob (\r
      MapPagesBase,                      // BaseAddress\r
      EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
      EfiBootServicesData                // MemoryType\r
      );\r
  }\r
}\r
Commit	Line	Data
13b5d743 BS	1	/**@file\r
	2	Initialize Secure Encrypted Virtualization (SEV) support\r
	3	\r
	4	Copyright (c) 2017, Advanced Micro Devices. All rights reserved.<BR>\r
	5	\r
b26f0cf9	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
13b5d743 BS	7	\r
	8	**/\r
	9	//\r
	10	// The package level header files this module uses\r
	11	//\r
13b5d743	12	#include <Library/DebugLib.h>\r
86defc2c	13	#include <Library/HobLib.h>\r
6d576e7a	14	#include <Library/MemEncryptSevLib.h>\r
13b5d743	15	#include <Library/PcdLib.h>\r
6d576e7a	16	#include <PiPei.h>\r
13b5d743	17	#include <Register/Amd/Cpuid.h>\r
6d576e7a	18	#include <Register/Cpuid.h>\r
13b5d743	19	\r
c0d221a3 LE	20	#include "Platform.h"\r
c0d221a3 LE	21	\r
13b5d743 BS	22	/**\r
	23	\r
	24	Function checks if SEV support is available, if present then it sets\r
	25	the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption mask.\r
	26	\r
	27	**/\r
	28	VOID\r
13b5d743 BS	29	AmdSevInitialize (\r
	30	VOID\r
	31	)\r
	32	{\r
	33	CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx;\r
	34	UINT64 EncryptionMask;\r
	35	RETURN_STATUS PcdStatus;\r
	36	\r
	37	//\r
	38	// Check if SEV is enabled\r
	39	//\r
	40	if (!MemEncryptSevIsEnabled ()) {\r
	41	return;\r
	42	}\r
	43	\r
	44	//\r
	45	// CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position)\r
	46	//\r
	47	AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL);\r
	48	EncryptionMask = LShiftU64 (1, Ebx.Bits.PtePosBits);\r
	49	\r
	50	//\r
	51	// Set Memory Encryption Mask PCD\r
	52	//\r
	53	PcdStatus = PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, EncryptionMask);\r
	54	ASSERT_RETURN_ERROR (PcdStatus);\r
	55	\r
	56	DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask));\r
6041ac65 BS	57	\r
	58	//\r
	59	// Set Pcd to Deny the execution of option ROM when security\r
	60	// violation.\r
	61	//\r
	62	PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);\r
	63	ASSERT_RETURN_ERROR (PcdStatus);\r
86defc2c LE	64	\r
	65	//\r
	66	// When SMM is required, cover the pages containing the initial SMRAM Save\r
	67	// State Map with a memory allocation HOB:\r
	68	//\r
	69	// There's going to be a time interval between our decrypting those pages for\r
	70	// SMBASE relocation and re-encrypting the same pages after SMBASE\r
	71	// relocation. We shall ensure that the DXE phase stay away from those pages\r
	72	// until after re-encryption, in order to prevent an information leak to the\r
	73	// hypervisor.\r
	74	//\r
	75	if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {\r
	76	RETURN_STATUS LocateMapStatus;\r
	77	UINTN MapPagesBase;\r
	78	UINTN MapPagesCount;\r
	79	\r
	80	LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (\r
	81	&MapPagesBase,\r
	82	&MapPagesCount\r
	83	);\r
	84	ASSERT_RETURN_ERROR (LocateMapStatus);\r
	85	\r
	86	BuildMemoryAllocationHob (\r
	87	MapPagesBase, // BaseAddress\r
	88	EFI_PAGES_TO_SIZE (MapPagesCount), // Length\r
	89	EfiBootServicesData // MemoryType\r
	90	);\r
	91	}\r
13b5d743	92	}\r